Bug 143894

Summary: Use ASan poisoning to taint moved-out-of Refs
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: Web Template Framework Assignee: Alexey Proskuryakov <ap>
Status: RESOLVED FIXED    
Severity: Normal CC: andersca, benjamin, cmarcelo, commit-queue, darin
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description: proposed patch  Flags: none

Description Alexey Proskuryakov 2015-04-17 13:55:14 PDT
It has been suggested that we can taint Refs to check that they are not used after moving out.

I'm not sure if we can practically expect to catch any bugs (the pointer is already zeroed out), but this seems easy enough to do, and harmless. Could catch something one day.

<rdar://problem/19443723>
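The technique the description proposes, shown as an added example that is not WebKit's Ref.h or the attached patch: a minimal intrusive-ref-counted Ref whose leakRef() poisons the Ref's own storage after clearing the pointer, and whose destructor and move-assignment lift the poison before touching m_ptr again. Under an ASan build any later read of the moved-from Ref is reported by the sanitizer itself; the EXAMPLE_ASAN_ENABLED macro, the Counted type and the std::set-based fallback shim (which lets the same pattern be exercised and checked explicitly in a build without ASan) are assumptions of this example, not part of ASan or WebKit.

```cpp
// Added example: poison a moved-out-of Ref so ASan reports use-after-move.
// Not WebKit code; Counted, EXAMPLE_ASAN_ENABLED and the fallback shim are
// assumptions of this example.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <set>
#include <utility>

#if defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define EXAMPLE_ASAN_ENABLED 1
#  endif
#elif defined(__SANITIZE_ADDRESS__)
#  define EXAMPLE_ASAN_ENABLED 1
#endif

#if EXAMPLE_ASAN_ENABLED
#include <sanitizer/asan_interface.h>   // real prototypes, no hand-written extern "C"
static void poisonRegion(const void* addr, size_t size) { __asan_poison_memory_region(addr, size); }
static void unpoisonRegion(const void* addr, size_t size) { __asan_unpoison_memory_region(addr, size); }
static bool regionIsPoisoned(const void* addr) { return __asan_address_is_poisoned(addr) != 0; }
#else
// Fallback shim (assumption of this example): record poisoned bytes in a set so
// the poison/unpoison discipline can be checked without the sanitizer. Unlike
// ASan it does not trap reads; it only answers regionIsPoisoned().
static std::set<uintptr_t>& poisonTable() { static std::set<uintptr_t> table; return table; }
static void poisonRegion(const void* addr, size_t size) {
    for (size_t i = 0; i < size; ++i) poisonTable().insert(reinterpret_cast<uintptr_t>(addr) + i);
}
static void unpoisonRegion(const void* addr, size_t size) {
    for (size_t i = 0; i < size; ++i) poisonTable().erase(reinterpret_cast<uintptr_t>(addr) + i);
}
static bool regionIsPoisoned(const void* addr) {
    return poisonTable().count(reinterpret_cast<uintptr_t>(addr)) != 0;
}
#endif

// Assumed ref-counted target. Ownership stays with the caller, so deref() only
// counts down; a real RefCounted type would delete itself at zero.
struct Counted {
    int refCount = 0;
    void ref() { ++refCount; }
    void deref() { --refCount; }
};

template<typename T> class Ref {
public:
    explicit Ref(T& object) : m_ptr(&object) { m_ptr->ref(); }
    Ref(Ref&& other) : m_ptr(&other.leakRef()) {}
    Ref(const Ref&) = delete;
    Ref& operator=(const Ref&) = delete;

    Ref& operator=(Ref&& other) {
        // Assigning into a moved-from Ref is legitimate: lift the taint before
        // reading m_ptr, otherwise that read is exactly what ASan would report.
        unpoisonRegion(this, sizeof(*this));
        T* old = m_ptr;
        m_ptr = &other.leakRef();
        if (old) old->deref();
        return *this;
    }

    ~Ref() {
        // A moved-from Ref is still destroyed. Unpoison first so the read of
        // m_ptr below, and later reuse of this stack slot or heap memory, is clean.
        if (regionIsPoisoned(this)) unpoisonRegion(this, sizeof(*this));
        if (m_ptr) m_ptr->deref();
    }

    T* operator->() const { return m_ptr; }

    T& leakRef() {
        T& result = *std::exchange(m_ptr, nullptr);
        // Taint our own storage. A Ref is one pointer, 8 bytes on 64-bit, so it
        // matches ASan's shadow granularity and the whole object gets poisoned.
        poisonRegion(this, sizeof(*this));
        return result;
    }

private:
    T* m_ptr;
};

struct MoveCheck {
    bool sourcePoisoned;          // true once a has been moved out of
    bool reassignedSourceUsable;  // poison lifted when a new value is move-assigned in
    int finalRefCount;            // 0: exactly one deref per ref taken, none from the moved-from Ref
};

// Exercises the move, reassignment and destruction paths on a stack object.
MoveCheck exerciseMove() {
    Counted object;
    MoveCheck result{};
    {
        Ref<Counted> a(object);                 // refCount 1
        Ref<Counted> b(std::move(a));           // a is now tainted, b owns the ref
        result.sourcePoisoned = regionIsPoisoned(&a);
        a = Ref<Counted>(object);               // refCount 2; a is usable again
        result.reassignedSourceUsable = !regionIsPoisoned(&a) && a->refCount == 2;
    }                                           // b then a are destroyed
    result.finalRefCount = object.refCount;     // 0
    return result;
}

int main() {
    MoveCheck r = exerciseMove();
    std::cout << "source poisoned after move: " << r.sourcePoisoned
              << ", usable after reassignment: " << r.reassignedSourceUsable
              << ", final refCount: " << r.finalRefCount << '\n';
    return 0;
}
```

Build with -fsanitize=address to have the sanitizer, rather than the shim, enforce the taint: in that build a plain `a->refCount` after the move is a read of poisoned memory and ASan aborts with a use-after-poison report, which is the bug the description hopes to catch. The two places that legitimately touch a moved-from Ref, the destructor and move-assignment, must unpoison before reading m_ptr, or they become the false positives.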
Comment 1 Alexey Proskuryakov 2015-04-17 13:56:50 PDT
Created attachment 251042
proposed patch
Comment 2 Sam Weinig 2015-04-17 15:33:58 PDT
Comment on attachment 251042
proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=251042&action=review

> Source/WTF/wtf/Ref.h:38
> +#if ASAN_ENABLED
> +extern "C" void __asan_poison_memory_region(void const volatile *addr, size_t size);
> +extern "C" void __asan_unpoison_memory_region(void const volatile *addr, size_t size);
> +extern "C" bool __asan_address_is_poisoned(void const volatile *addr);
> +#endif
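Review bot: the third prototype declares __asan_address_is_poisoned as returning bool, but the sanitizer's public prototype in <sanitizer/asan_interface.h> returns int; either declare it as extern "C" int __asan_address_is_poisoned(void const volatile *addr); or include that header instead of hand-writing the three declarations, so they cannot drift from the runtime's actual signatures. Since this block is guarded by ASAN_ENABLED, every call site in Ref.h will need the same #if guard; a pair of helpers that expand to the calls under ASan and to nothing otherwise would keep the move and destructor paths free of conditional blocks.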

I think this should probably be in Compiler.h, since it seems like this could be generally useful.  Perhaps we should also put it behind some nicer macros / inline functions.
Comment 3 WebKit Commit Bot 2015-04-17 15:46:47 PDT
Comment on attachment 251042
proposed patch

Clearing flags on attachment: 251042

Committed r182977: <http://trac.webkit.org/changeset/182977>
Comment 4 WebKit Commit Bot 2015-04-17 15:46:53 PDT
All reviewed patches have been landed.  Closing bug.